By Richard E. Cascarino Copyright 2012 by Richard E. Cascarino
APPENDIX C
Logical Access-Control Audit Program
Questions Yes No N/A COMMENTS
The widespread use of communications networks has shown that physical controls provide limited value in protecting the data stored on and processed by the computer. Logical controls restrict access to specific systems to authorized individuals and to the functions each individual can perform on the system. Logical security controls enable the organization to:
- Identify individual users of IT data and resources.
- Restrict access to specific data or resources.
- Produce audit trails of system and user activity.

Audit Procedures:

Each type of software has an access path. Access paths are those areas or points where access may be gained to the system. When accessing the computer system, a user may pass through one or more software levels before obtaining access to the data resources (e.g., data, program libraries, etc.).

a) Review all possible access paths to the data resources to determine that the security features in each piece of software are used to minimize the vulnerabilities. Pay specific attention to backdoor methods of accessing data by operators and programmers.

b) Interview management and review documentation to determine if integrated access-control software is used to streamline security administration and improve security effectiveness.
c) Control points are those areas on the software's access path that may be used to control and protect data resources. An access-path schematic identifies the users of the system, the type of device from which they access the system, the software used to access the system, the resources they may access, the system on which these resources reside, and the modes of operation and telecommunications paths. The goal of the access-path schematic is to assist in the identification of all the control points that could be used to protect the data stored on the system. Review control points for the application to assess their propriety.

d) Identification is the process of distinguishing one user from all others. Authentication is the process of determining whether individuals are who they say they are. Passwords are used to control access to the computer environment. While passwords are widely used for authentication, they are not conclusive identifiers of specific individuals because they may be guessed, copied, overheard, recorded, and played back. If authentication is achieved by use of passwords, review the procedures, observe the operations, and interview user staff to ensure that:
- Passwords are controlled by the owner.
- Passwords are changed periodically; the more sensitive the data or the function, the more frequent the changes. (Current guidance such as NIST SP 800-63B favours changing a password when there is evidence of compromise rather than on a fixed schedule; note which regime the organization has adopted and that it is applied consistently.)
- Passwords are not displayed when they are entered.
- A minimum character length is set for passwords.
- Use of names, dictionary words, or old passwords is prohibited.
- Users of data and resources are uniquely identified. It is not advisable to use group IDs or passwords, because an audit trail cannot then attribute an action to one person.

If authentication is achieved by possession of identification devices such as ID cards, access cards, keys, and so on, review the devices and observe the operations to evaluate the effectiveness of this method.

Authentication of individuals by physical or behavioral characteristics is also known as biometric technology. This is an automated method of verifying or recognizing the identity of a person based on physiological or behavioral characteristics. Biometric characteristics in use include fingerprints, retina patterns, hand geometry, speech patterns, and keystroke dynamics. If this authentication method is used, review the devices and observe the operations to evaluate the effectiveness of this means.
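The password checks listed under d) can be enforced mechanically at the point where a password is set. The following Python is an added example, not code from the book: it applies a minimum length, rejects the user's ID or name and dictionary words, and refuses reuse of recent passwords by comparing against salted one-way hashes rather than stored plaintext. The policy values, the five-word list standing in for a dictionary, and the history layout are assumptions made for the illustration.

```python
"""Password-policy enforcement at password change time.

Added example, not from the book. Hypothetical assumptions: the policy
values, the tiny word list standing in for a real dictionary, and the
history layout (16-byte salt followed by a PBKDF2-SHA256 digest).
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # "minimum character length is set for the passwords"
HISTORY_DEPTH = 5        # "old passwords are prohibited": how many to remember
PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "admin"}


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted one-way hash. The history holds these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches_history(password: str, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(user_id: str, full_name: str, candidate: str,
                   history: list) -> list:
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    findings = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # Names: the user ID and each part of the person's name.
    name_parts = {user_id.lower()} | set(full_name.lower().split())
    if any(part and part in lowered for part in name_parts):
        findings.append("contains the user ID or the user's name")
    # Dictionary words, including the common "Word2024!" pattern.
    stripped = lowered.rstrip("0123456789!@#$%^&*.")
    if lowered in DICTIONARY or stripped in DICTIONARY:
        findings.append("is a dictionary word")
    if any(matches_history(candidate, h) for h in history[-HISTORY_DEPTH:]):
        findings.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return findings


def change_password(user_id: str, full_name: str, candidate: str, history: list):
    """Apply the policy; on acceptance append the new salted hash to the history.

    Returns (accepted, findings). The caller is expected to read the candidate
    with a no-echo prompt (getpass.getpass) so it is never displayed.
    """
    findings = check_password(user_id, full_name, candidate, history)
    if findings:
        return False, findings
    history.append(hash_password(candidate))
    return True, []
```

The history is a list of salted hashes, so the check for "old passwords" never needs the old plaintext, and a copy of the history table gives an attacker nothing directly reusable; this is the property an auditor is really after when the checklist asks whether security tables are encrypted.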
Access-control software allows the identification and authentication of users, the control of access to information resources, and the recording of security-related events and data. Access-control software is important in enforcing the change-control process through the segregation of development, testing, and production environments. Many types of software contain features that are designed or may be used to provide security. It is preferable to use access-control software to secure the total environment or to complement the features provided by specific software. Access-control software provides comprehensive and coordinated security.

a) When security software is initially installed, the protected resources, authorized user identifiers, and passwords must be identified or defined to that software. Security profiles may include user or resource passwords used to control access to specific program functions or data files. Review the security tables to determine that they are encrypted (for stored passwords, the appropriate protection is a salted one-way hash rather than reversible encryption, so that a copy of the table cannot be decrypted to recover passwords).

b) Each user can be assigned a scope of access, and each resource a degree of protection. Resources that should be protected from unauthorized access include:
- Application systems program libraries.
- System software program libraries.
- Data files and databases.
- Job-execution-language statement libraries.
- Selected processing functions (modules) of application programs.
- Sensitive utilities that can bypass normal security controls.
- Data dictionary files and programs.
Review the access rules for all the resources that should be protected to evaluate their propriety.

c) Review responses to security violations for propriety. Responses could include termination of processing, forced shutdown of terminals, issuance of warning or error messages, and writing of audit-trail records. The desired audit trail for security violations is selected during implementation. Evaluate the effectiveness of audit trails; such data may include user ID, resource accessed, date, time, terminal location, and specific data modified during the access.

Review access-control software to determine that the following controls are in place:

1. Access to the system is restricted to authorized individuals.
2. Access to the processing functions of application software is controlled in a manner that permits authorized users to gain access only for purposes of performing their assigned duties and precludes unauthorized persons from gaining access.
3. Access rules or profiles are established in a way that restricts departmental employees from performing incompatible functions or functions beyond their responsibility, and also enforces proper separation of duties.
4. Procedures are enforced so that application programmers are prohibited from making unauthorized program changes.
5. User/application programmers are limited to the specific types of data access (e.g., read, update) required to perform their functional responsibilities.
6. Security profiles or tables are protected from unauthorized access and modification. Access to these profiles or tables is restricted to certain access paths.
7. Security tables or profiles are encrypted to restrict unauthorized use.
8. Security profile-override capabilities are restricted.
9. Security data and resource-access audit trails, including audit trails of the use of the access-control software, are protected from unauthorized modification.
10. Modifications or changes to the access-control software itself are restricted to the appropriate personnel, and those changes are made according to authorized procedures.

Certain types of communications software can restrict access to the telecommunications network and to specific applications located on the network. Controls limiting access to a network and to sensitive resources are specified in the communications software through an authorized exit routine or table. Access to this exit or table is restricted to the appropriate individuals. Access to sensitive data and resources in the network is controlled by:
- Verifying terminal identifications.
- Verifying logons to applications.
- Controlling connections between telecommunications systems and terminals.
- Restricting an application's use of network facilities.
- Protecting sensitive data during transmission.
- Automatically disconnecting at the end of a session.

Determine that:
- Devices and applications sharing similar security requirements are placed in an isolated network with restricted operational and user access.
- Network software is configured, through the use of optional journals, to provide extensive network activity logs.
- Tables used to define network options, resources, and operator profiles are protected from unauthorized access and modification.
- Operator commands that can shut down network components can be executed only by authorized users.
- Dial-in access to the system is closely monitored and protected.
- In-house access to communications software is protected, and control over changes to the software is in place.
- Precautions are taken to ensure that data are not accessed or modified by an unauthorized user during transmission or while in temporary storage.
- Access to telecommunications hardware or facilities that can monitor transmissions is restricted.

Application systems consist of data and programs specifically written to perform a business function. Library-management software can be used to store, maintain, and protect source program libraries, job-execution-language libraries, and in some instances data files and object program libraries. Library-management software packages differ in the type of program libraries they can protect, the levels of security they can provide, and the audit trails they can produce. The libraries must be supported by adequate change-control and documentation procedures in order to provide a well-controlled change environment. The software system may not be effective unless supported by detailed procedures, including:
- Formal authorization to transfer programs.
- Verification by user or Information Systems (IS) management that all changes are authorized and applied correctly.
- Restricting performance of the change-control procedures to a specific change-control function.
- Source programs copied to production libraries and recompiled there, so that the production object code is known to correspond to the authorized source.
- Control over emergency changes: emergency access granted for the purpose of resolving a problem should be revoked immediately after the problem is fixed, and all actions taken during the emergency should be automatically logged.
Determine that:
- The library-management system maintains an audit trail of all activity against the libraries. One important control function performed by the library-management software is the maintenance of a program-change log. Information provided includes the program name, version number, specific changes made, maintenance date, and programmer ID.
- The library-management software has a facility that compares two source-code program versions and reports any differences.
- Access to programs or other items stored by the library-management software is limited to certain access paths.
- Access to passwords or authorization codes is restricted to authorized individuals, and passwords are changed on a routine basis.
- Access to library-management software is protected, and controls over changes to the software are in place.
- Precautions are taken to ensure that the library-access definition tables are not modified by an unauthorized user.
- Additional procedures are in place to ensure that the correct versions of production programs reside in object program libraries when these libraries are not protected by the library-management software.

Database management system (DBMS) software is used to control, organize, and manipulate data; provide multiple ways to access data in a database; and manage integrated data that cross operational, functional, and organizational boundaries within an organization. Data dictionary (DD) software provides a method for documenting elements of a database and may also provide a method of securing data in a database management system. DD software interfaces closely with the DBMS. The ability to add to or update the DD should be controlled to ensure the integrity of the documentation. All updates to the DD should produce an audit trail so that an automated record of all changes and a means of recovery from disruptions can be maintained. Determine that:
- Access to data files is restricted at the logical data view, field, or field-value level. Field-level security pertains to the sensitive nature of the field itself (for example, a salary field). Field-value-level security pertains to the contents of a field (for example, only the rows whose department field matches the user's own department).
- Access to the DD is controlled by using security profiles and passwords within the DD software.
- The DD may use the DBMS to store the information in a database format. Therefore, the database must be secured using the various access-control facilities built into the DBMS software. Because the storage medium for the DD contents is a database, the same audit-trail features that are in place for application databases should also exist for the DD.
- Inquiry and update capabilities from application program functions, interfacing DBMS or DD facilities, and DBMS utilities are limited to appropriate personnel. Security functions implemented in the DBMS and DD may only be effective when access to the database is made through the DBMS or DD; any access path that reaches the underlying files directly bypasses them.
- Access to DBMS software is protected, and controls over changes to the software are in place.
- Procedures for maintaining security profiles in the DD and security tables in the DBMS are adequate to prevent unauthorized access to sensitive information.

There are two main types of utility software. The first type is used in the system-development process to improve productivity, such as program-development aids and on-line editors. The second type is used to assist in the management of the operation of the computer system, such as performance monitors, job schedulers, and disk-management systems. Utility software may have privileged access capabilities at all times, some of the time, or never. Privileged access allows programs or users to perform functions that may bypass normal security. Determine that:
- Access to specific utility files or functions is restricted. Different utilities provide various types of protection. Some utilities establish authorization levels for each protected file or function and check each user's authorization level before allowing access. Other utilities use passwords to prevent unauthorized access.
- Utility software generates an audit trail of use and activity. Some utilities provide detailed audit trails of activity against protected datasets, libraries, and other resources. These audit trails provide information such as user ID, date and time of access, resource accessed, and the type of access. They also serve as a record of events, including security violations and unauthorized accesses.
- Precautions are taken to ensure that library-manipulation utilities, such as delete and copy, are protected from unauthorized use.
- Precautions are taken to ensure that only authorized personnel have access to applications running under the control of the utility.
- Precautions are taken to ensure that only authorized users have access to utilities that can update production libraries and library members.
- Certain utilities should not be maintained in the production environment.
- Audit trails produced by utilities are carefully reviewed to identify possible security violations.
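The DBMS and data-dictionary section above distinguishes field-level security (a sensitive field such as salary is hidden from some users) from field-value-level security (a user sees only rows whose field contents match a predicate), and notes that such controls are effective only when every access goes through the controlled path. The Python below is an added example, not code from the book: an inquiry layer in front of an in-memory SQLite table applies a per-user profile holding both kinds of rule, records each attempt in a constructed audit list, and a second function shows what a direct query around that layer exposes. The EMPLOYEE table, the three profiles and the rule layout are assumptions made for the illustration; a real DBMS would hold equivalent rules in its own security tables or the DD.

```python
"""Field-level and field-value-level access rules in front of a DBMS.

Added example, not from the book. Hypothetical assumptions: the EMPLOYEE
table, the three user profiles and the rule format are constructed here.
"""
import sqlite3

# Constructed sample rows: (id, name, dept, salary).
ROWS = [
    (1, "A. Ng", "FIN", 85000),
    (2, "B. Osei", "FIN", 62000),
    (3, "C. Ruiz", "OPS", 58000),
]

# Security profiles. "fields" is the field-level rule (which columns may be
# seen); "row_filter" is the field-value-level rule (which rows, by content).
PROFILES = {
    "hr_admin": {"fields": {"id", "name", "dept", "salary"}, "row_filter": None},
    # Finance manager: may see salaries, but only rows whose dept is FIN.
    "fin_mgr": {"fields": {"id", "name", "dept", "salary"}, "row_filter": ("dept", "FIN")},
    # Directory clerk: all rows, but the sensitive salary field is hidden.
    "clerk": {"fields": {"id", "name", "dept"}, "row_filter": None},
}

# Constructed audit trail of inquiry attempts: (user, requested fields, outcome).
AUDIT = []


class AccessDenied(Exception):
    """Raised when a request falls outside the user's security profile."""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", ROWS)
    return conn


def query_employees(conn, user, requested_fields):
    """The controlled inquiry path: apply the profile before the DBMS sees the query."""
    profile = PROFILES.get(user)
    if profile is None:
        AUDIT.append((user, tuple(requested_fields), "DENIED: no profile"))
        raise AccessDenied(f"{user}: no security profile")
    # Field-level rule. Any name not in the profile (including an unknown or
    # injected identifier) is rejected, so the field list is safe to interpolate.
    denied = set(requested_fields) - profile["fields"]
    if denied:
        AUDIT.append((user, tuple(requested_fields), f"DENIED: {sorted(denied)}"))
        raise AccessDenied(f"{user}: field-level rule denies {sorted(denied)}")
    sql = "SELECT " + ", ".join(requested_fields) + " FROM employee"
    params = ()
    # Field-value-level rule: the predicate value is bound as a parameter.
    if profile["row_filter"]:
        field, value = profile["row_filter"]
        sql += f" WHERE {field} = ?"
        params = (value,)
    sql += " ORDER BY id"
    AUDIT.append((user, tuple(requested_fields), "OK"))
    return conn.execute(sql, params).fetchall()


def is_denied(conn, user, requested_fields):
    """True if the controlled path refuses the request."""
    try:
        query_employees(conn, user, requested_fields)
        return False
    except AccessDenied:
        return True


def bypass_count(conn):
    """A query that skips query_employees sees every salary: the rules only
    hold if no access path reaches the database around the controlled layer."""
    return len(conn.execute("SELECT salary FROM employee").fetchall())
```

The clerk's request for salaries is refused by the field-level rule and the finance manager's query is silently narrowed by the row predicate, while bypass_count returns all three salaries; the last result is the auditor's reminder that a DBMS utility or direct file access outside the controlled path must itself be restricted.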
Operating systems are a series of programs that manage computer resources and serve as an interface between application software and system hardware. These programs manage and control the execution of application programs and provide the services these programs require. Such services may include job scheduling, disk and tape management, job accounting, program compiling, testing, and debugging. Determine that:
- The use of exits is controlled. Operating-system software may be customized by the use of exits to alter its processing. Exits allow insertion of program code to perform additional functions, and that code runs with the operating system's own privileges.
- System programmers' activities are closely monitored. System programmers select, install, and maintain systems software. They are highly skilled and have extraordinary access to the most sensitive elements of the computer system.
- Operating systems use passwords and user IDs to prevent unauthorized users from gaining access to operating-system functions and utilities. Many times these passwords and IDs are defined in a system table or dataset that is activated when the system is generated. Passwords and user IDs are kept confidential. Unauthorized users who can gain access to the system can make unauthorized modifications to system resources.
- Access to operating-system software is restricted, and controls over changes to the software are in place.
- Systems and data-security administrators are carefully selected and monitored. They have the authority to modify system functions, including system-generation procedures and user profiles.
- Access to operating-system utilities is restricted. Operating systems provide many utilities that can be used to make unauthorized modifications to system services and resources.
- System generations and re-initializations are monitored, because an unauthorized generation can result in invalid system processing.
- The use of all optional systems-software products, such as on-line editors and TP monitors, is restricted to appropriate authorized individuals.
- Audit trails are reviewed on a regular basis to determine if any unauthorized access attempts or modifications were made.
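Several items in this program (the audit-trail fields listed under access-control software, the utility audit trails, and the operating-system audit-trail review above) come down to reading the trail against the access rules rather than just confirming that a trail exists. The Python below is an added example, not code from the book: it parses a constructed audit trail carrying the fields the text names (user, terminal, resource, type of access, date and time, outcome) and flags an access outside the role's profile (here a programmer updating a production library, the separation-of-duties case in item 3), a security-table change from a terminal other than the administrative one (item 6), every execution of a sensitive utility, access outside business hours, and repeated failed attempts. The record layout, the rule table, the terminal and utility names, and the thresholds are assumptions made for the illustration.

```python
"""Review of an access-control / utility audit trail against access rules.

Added example, not from the book. Hypothetical assumptions: the record
layout, the role-to-resource rules, the terminal and utility names and the
thresholds are all constructed for the illustration.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample trail: timestamp user role terminal resource access outcome
AUDIT_TRAIL = """\
2012-01-31T09:12:01 jsmith PROGRAMMER T101 TEST.LOADLIB UPDATE OK
2012-01-31T09:15:44 jsmith PROGRAMMER T101 PROD.LOADLIB UPDATE OK
2012-01-31T10:02:10 ops01 OPERATOR T200 PROD.LOADLIB READ OK
2012-01-31T10:05:37 ops01 OPERATOR T200 SYS.SECURITY.TABLE UPDATE OK
2012-01-31T22:41:05 hr02 CLERK T305 HR.PAYROLL READ OK
2012-01-31T08:00:01 guest GUEST T999 HR.PAYROLL READ FAIL
2012-01-31T08:00:03 guest GUEST T999 HR.PAYROLL READ FAIL
2012-01-31T08:00:05 guest GUEST T999 HR.PAYROLL READ FAIL
2012-01-31T11:20:00 secadm SECADMIN T001 SYS.SECURITY.TABLE UPDATE OK
2012-01-31T11:25:00 ops01 OPERATOR T200 SYS.UTIL.SUPERZAP EXEC OK
"""

# Access rules: role -> {resource-name prefix: permitted access types}.
# Programmers may change test libraries but only read production ones.
RULES = {
    "PROGRAMMER": {"TEST.": {"READ", "UPDATE"}, "PROD.": {"READ"}},
    "OPERATOR": {"PROD.": {"READ"}, "SYS.UTIL.": {"EXEC"}},
    "CLERK": {"HR.": {"READ"}},
    "SECADMIN": {"SYS.SECURITY.": {"READ", "UPDATE"}},
}
SECURITY_TABLE_PREFIX = "SYS.SECURITY."
SECURITY_ADMIN_TERMINALS = {"T001"}        # the only approved path for table changes
SENSITIVE_UTILITIES = {"SYS.UTIL.SUPERZAP"}  # can bypass normal controls; always report
BUSINESS_HOURS = (time(7, 0), time(19, 0))
FAILED_ATTEMPT_THRESHOLD = 3


def parse(trail):
    """Split each whitespace-separated record into a dict with a parsed timestamp."""
    records = []
    for line in trail.splitlines():
        ts, user, role, term, resource, access, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                        "terminal": term, "resource": resource, "access": access,
                        "outcome": outcome})
    return records


def permitted(role, resource, access):
    """True if the role's profile grants this access type on this resource."""
    for prefix, allowed in RULES.get(role, {}).items():
        if resource.startswith(prefix):
            return access in allowed
    return False


def review(records):
    """Return one finding string per condition an auditor would follow up."""
    findings = []
    failures = Counter()
    for r in records:
        tag = f"{r['ts'].isoformat()} {r['user']}"
        if r["outcome"] == "FAIL":
            failures[r["user"]] += 1
            continue
        if not permitted(r["role"], r["resource"], r["access"]):
            findings.append(f"{tag}: {r['access']} on {r['resource']} outside {r['role']} profile")
        if (r["resource"].startswith(SECURITY_TABLE_PREFIX) and r["access"] == "UPDATE"
                and r["terminal"] not in SECURITY_ADMIN_TERMINALS):
            findings.append(f"{tag}: security table modified from non-admin terminal {r['terminal']}")
        if r["resource"] in SENSITIVE_UTILITIES:
            findings.append(f"{tag}: sensitive utility {r['resource']} executed")
        if not BUSINESS_HOURS[0] <= r["ts"].time() <= BUSINESS_HOURS[1]:
            findings.append(f"{tag}: access to {r['resource']} outside business hours")
    for user, n in failures.items():
        if n >= FAILED_ATTEMPT_THRESHOLD:
            findings.append(f"{user}: {n} failed access attempts")
    return findings


if __name__ == "__main__":
    for finding in review(parse(AUDIT_TRAIL)):
        print(finding)
```

The sample trail yields six findings: the programmer's production update, two for the operator's change to the security table (outside the profile, and from a non-administrative terminal), the clerk's late-evening payroll read, the SUPERZAP execution, and the three failures by guest; the administrator's own table change from the approved terminal is not reported. The review depends entirely on the rule table being an accurate copy of the profiles actually in force, which is why the items above also ask that the security tables and the trail itself be protected from modification.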